Vulnerabilities > CVE-2017-16612 - Integer Overflow or Wraparound vulnerability in multiple products
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
NONE Integrity impact
NONE Availability impact
PARTIAL Summary
libXcursor before 1.1.15 has various integer overflows that could lead to heap buffer overflows when processing malicious cursors, e.g., with programs like GIMP. It is also possible that an attack vector exists against the related code in cursor/xcursor.c in Wayland through 1.14.0.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| OS | 2 | |
| OS | 4 | |
| Application | 9 |
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Forced Integer Overflow This attack forces an integer variable to go out of range. The integer variable is often used as an offset such as size of memory allocation or similarly. The attacker would typically control the value of such variable and try to get it out of range. For instance the integer in question is incremented past the maximum possible value, it may wrap to become a very small, or negative number, therefore providing a very incorrect value which can lead to unexpected behavior. At worst the attacker can execute arbitrary code.
Nessus
NASL family Slackware Local Security Checks NASL id SLACKWARE_SSA_2017-333-01.NASL description New libXcursor packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, 14.2, and -current to fix a security issue. last seen 2020-06-01 modified 2020-06-02 plugin id 104858 published 2017-11-30 reporter This script is Copyright (C) 2017-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/104858 title Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / 14.2 / current : libXcursor (SSA:2017-333-01) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Slackware Security Advisory 2017-333-01. The text # itself is copyright (C) Slackware Linux, Inc. # include("compat.inc"); if (description) { script_id(104858); script_version("$Revision: 3.3 $"); script_cvs_date("$Date: 2018/01/26 17:57:43 $"); script_cve_id("CVE-2017-16612"); script_xref(name:"SSA", value:"2017-333-01"); script_name(english:"Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / 14.2 / current : libXcursor (SSA:2017-333-01)"); script_summary(english:"Checks for updated package in /var/log/packages"); script_set_attribute( attribute:"synopsis", value:"The remote Slackware host is missing a security update." ); script_set_attribute( attribute:"description", value: "New libXcursor packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, 14.2, and -current to fix a security issue." ); # http://www.slackware.com/security/viewer.php?l=slackware-security&y=2017&m=slackware-security.618566 script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?8053c315" ); script_set_attribute( attribute:"solution", value:"Update the affected libXcursor package." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:slackware:slackware_linux:libXcursor"); script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux"); script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:13.0"); script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:13.1"); script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:13.37"); script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:14.0"); script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:14.1"); script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:14.2"); script_set_attribute(attribute:"patch_publication_date", value:"2017/11/29"); script_set_attribute(attribute:"plugin_publication_date", value:"2017/11/30"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2017-2018 Tenable Network Security, Inc."); script_family(english:"Slackware Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Slackware/release", "Host/Slackware/packages"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("slackware.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Slackware/release")) audit(AUDIT_OS_NOT, "Slackware"); if (!get_kb_item("Host/Slackware/packages")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Slackware", cpu); flag = 0; if (slackware_check(osver:"13.0", pkgname:"libXcursor", pkgver:"1.1.15", pkgarch:"i486", pkgnum:"1_slack13.0")) flag++; if (slackware_check(osver:"13.0", arch:"x86_64", pkgname:"libXcursor", pkgver:"1.1.15", pkgarch:"x86_64", pkgnum:"1_slack13.0")) flag++; if (slackware_check(osver:"13.1", pkgname:"libXcursor", pkgver:"1.1.15", pkgarch:"i486", pkgnum:"1_slack13.1")) flag++; if (slackware_check(osver:"13.1", arch:"x86_64", pkgname:"libXcursor", pkgver:"1.1.15", pkgarch:"x86_64", pkgnum:"1_slack13.1")) flag++; if (slackware_check(osver:"13.37", pkgname:"libXcursor", pkgver:"1.1.15", pkgarch:"i486", pkgnum:"1_slack13.37")) flag++; if (slackware_check(osver:"13.37", arch:"x86_64", pkgname:"libXcursor", pkgver:"1.1.15", pkgarch:"x86_64", pkgnum:"1_slack13.37")) flag++; if (slackware_check(osver:"14.0", pkgname:"libXcursor", pkgver:"1.1.15", pkgarch:"i486", pkgnum:"1_slack14.0")) flag++; if (slackware_check(osver:"14.0", arch:"x86_64", pkgname:"libXcursor", pkgver:"1.1.15", pkgarch:"x86_64", pkgnum:"1_slack14.0")) flag++; if (slackware_check(osver:"14.1", pkgname:"libXcursor", pkgver:"1.1.15", pkgarch:"i486", pkgnum:"1_slack14.1")) flag++; if (slackware_check(osver:"14.1", arch:"x86_64", pkgname:"libXcursor", pkgver:"1.1.15", pkgarch:"x86_64", pkgnum:"1_slack14.1")) flag++; if (slackware_check(osver:"14.2", pkgname:"libXcursor", pkgver:"1.1.15", pkgarch:"i586", pkgnum:"1_slack14.2")) flag++; if (slackware_check(osver:"14.2", arch:"x86_64", pkgname:"libXcursor", pkgver:"1.1.15", pkgarch:"x86_64", pkgnum:"1_slack14.2")) flag++; if (slackware_check(osver:"current", pkgname:"libXcursor", pkgver:"1.1.15", pkgarch:"i586", pkgnum:"1")) flag++; if (slackware_check(osver:"current", arch:"x86_64", pkgname:"libXcursor", pkgver:"1.1.15", pkgarch:"x86_64", pkgnum:"1")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:slackware_report_get()); else security_warning(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family Debian Local Security Checks NASL id DEBIAN_DLA-1201.NASL description It was discovered that libXcursor, a X cursor management library, is prone to several heap overflows when parsing malicious files. An attacker can take advantage of these flaws for arbitrary code execution, if a user is tricked into processing a specially crafted cursor file. For Debian 7 last seen 2020-03-17 modified 2017-12-11 plugin id 105117 published 2017-12-11 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/105117 title Debian DLA-1201-1 : libxcursor security update code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Debian Security Advisory DLA-1201-1. The text # itself is copyright (C) Software in the Public Interest, Inc. # include("compat.inc"); if (description) { script_id(105117); script_version("3.6"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12"); script_cve_id("CVE-2017-16612"); script_name(english:"Debian DLA-1201-1 : libxcursor security update"); script_summary(english:"Checks dpkg output for the updated packages."); script_set_attribute( attribute:"synopsis", value:"The remote Debian host is missing a security update." ); script_set_attribute( attribute:"description", value: "It was discovered that libXcursor, a X cursor management library, is prone to several heap overflows when parsing malicious files. An attacker can take advantage of these flaws for arbitrary code execution, if a user is tricked into processing a specially crafted cursor file. For Debian 7 'Wheezy', these problems have been fixed in version 1:1.1.13-1+deb7u2. We recommend that you upgrade your libxcursor packages. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://lists.debian.org/debian-lts-announce/2017/12/msg00002.html" ); script_set_attribute( attribute:"see_also", value:"https://packages.debian.org/source/wheezy/libxcursor" ); script_set_attribute(attribute:"solution", value:"Upgrade the affected packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libxcursor-dev"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libxcursor1"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libxcursor1-dbg"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libxcursor1-udeb"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:7.0"); script_set_attribute(attribute:"patch_publication_date", value:"2017/12/10"); script_set_attribute(attribute:"plugin_publication_date", value:"2017/12/11"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Debian Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("debian_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian"); if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (deb_check(release:"7.0", prefix:"libxcursor-dev", reference:"1:1.1.13-1+deb7u2")) flag++; if (deb_check(release:"7.0", prefix:"libxcursor1", reference:"1:1.1.13-1+deb7u2")) flag++; if (deb_check(release:"7.0", prefix:"libxcursor1-dbg", reference:"1:1.1.13-1+deb7u2")) flag++; if (deb_check(release:"7.0", prefix:"libxcursor1-udeb", reference:"1:1.1.13-1+deb7u2")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get()); else security_warning(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family Huawei Local Security Checks NASL id EULEROS_SA-2018-1003.NASL description According to the version of the libXcursor packages installed, the EulerOS installation on the remote host is affected by the following vulnerability : - libXcursor before 1.1.15 has various integer overflows that could lead to heap buffer overflows when processing malicious cursors, e.g., with programs like GIMP.(CVE-2017-16612) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-05-06 modified 2018-01-19 plugin id 106144 published 2018-01-19 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/106144 title EulerOS 2.0 SP1 : libXcursor (EulerOS-SA-2018-1003) code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(106144); script_version("3.11"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/04"); script_cve_id( "CVE-2017-16612" ); script_name(english:"EulerOS 2.0 SP1 : libXcursor (EulerOS-SA-2018-1003)"); script_summary(english:"Checks the rpm output for the updated package."); script_set_attribute(attribute:"synopsis", value: "The remote EulerOS host is missing a security update."); script_set_attribute(attribute:"description", value: "According to the version of the libXcursor packages installed, the EulerOS installation on the remote host is affected by the following vulnerability : - libXcursor before 1.1.15 has various integer overflows that could lead to heap buffer overflows when processing malicious cursors, e.g., with programs like GIMP.(CVE-2017-16612) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues."); # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2018-1003 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?6a5e223d"); script_set_attribute(attribute:"solution", value: "Update the affected libXcursor package."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"patch_publication_date", value:"2018/01/09"); script_set_attribute(attribute:"plugin_publication_date", value:"2018/01/19"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:libXcursor"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:libXcursor-devel"); script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:2.0"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Huawei Local Security Checks"); script_copyright(english:"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/sp"); script_exclude_keys("Host/EulerOS/uvp_version"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/EulerOS/release"); if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS"); if (release !~ "^EulerOS release 2\.0(\D|$)") audit(AUDIT_OS_NOT, "EulerOS 2.0"); sp = get_kb_item("Host/EulerOS/sp"); if (isnull(sp) || sp !~ "^(1)$") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP1"); uvp = get_kb_item("Host/EulerOS/uvp_version"); if (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, "EulerOS 2.0 SP1", "EulerOS UVP " + uvp); if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu); flag = 0; pkgs = ["libXcursor-1.1.14-2.1.h1", "libXcursor-devel-1.1.14-2.1.h1"]; foreach (pkg in pkgs) if (rpm_check(release:"EulerOS-2.0", sp:"1", reference:pkg)) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_WARNING, extra : rpm_report_get() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libXcursor"); }NASL family Fedora Local Security Checks NASL id FEDORA_2018-0EED1BE1C0.NASL description libXcursor 1.1.15 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2018-03-07 plugin id 107156 published 2018-03-07 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/107156 title Fedora 26 : libXcursor (2018-0eed1be1c0) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Fedora Security Advisory FEDORA-2018-0eed1be1c0. # include("compat.inc"); if (description) { script_id(107156); script_version("1.3"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04"); script_cve_id("CVE-2017-16612"); script_xref(name:"FEDORA", value:"2018-0eed1be1c0"); script_name(english:"Fedora 26 : libXcursor (2018-0eed1be1c0)"); script_summary(english:"Checks rpm output for the updated package."); script_set_attribute( attribute:"synopsis", value:"The remote Fedora host is missing a security update." ); script_set_attribute( attribute:"description", value: "libXcursor 1.1.15 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://bodhi.fedoraproject.org/updates/FEDORA-2018-0eed1be1c0" ); script_set_attribute( attribute:"solution", value:"Update the affected libXcursor package." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:libXcursor"); script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:26"); script_set_attribute(attribute:"vuln_publication_date", value:"2017/12/01"); script_set_attribute(attribute:"patch_publication_date", value:"2018/03/06"); script_set_attribute(attribute:"plugin_publication_date", value:"2018/03/07"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Fedora Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora"); os_ver = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora"); os_ver = os_ver[1]; if (! preg(pattern:"^26([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 26", "Fedora " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu); flag = 0; if (rpm_check(release:"FC26", reference:"libXcursor-1.1.15-1.fc26")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_WARNING, extra : rpm_report_get() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libXcursor"); }NASL family Debian Local Security Checks NASL id DEBIAN_DSA-4059.NASL description It was discovered that libXcursor, a X cursor management library, is prone to several heap overflows when parsing malicious files. An attacker can take advantage of these flaws for arbitrary code execution, if a user is tricked into processing a specially crafted cursor file. last seen 2020-06-01 modified 2020-06-02 plugin id 105120 published 2017-12-11 reporter This script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/105120 title Debian DSA-4059-1 : libxcursor - security update code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Debian Security Advisory DSA-4059. The text # itself is copyright (C) Software in the Public Interest, Inc. # include("compat.inc"); if (description) { script_id(105120); script_version("3.5"); script_cvs_date("Date: 2018/11/13 12:30:46"); script_cve_id("CVE-2017-16612"); script_xref(name:"DSA", value:"4059"); script_name(english:"Debian DSA-4059-1 : libxcursor - security update"); script_summary(english:"Checks dpkg output for the updated package"); script_set_attribute( attribute:"synopsis", value:"The remote Debian host is missing a security-related update." ); script_set_attribute( attribute:"description", value: "It was discovered that libXcursor, a X cursor management library, is prone to several heap overflows when parsing malicious files. An attacker can take advantage of these flaws for arbitrary code execution, if a user is tricked into processing a specially crafted cursor file." ); script_set_attribute( attribute:"see_also", value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=883792" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/source-package/libxcursor" ); script_set_attribute( attribute:"see_also", value:"https://packages.debian.org/source/jessie/libxcursor" ); script_set_attribute( attribute:"see_also", value:"https://packages.debian.org/source/stretch/libxcursor" ); script_set_attribute( attribute:"see_also", value:"https://www.debian.org/security/2017/dsa-4059" ); script_set_attribute( attribute:"solution", value: "Upgrade the libxcursor packages. For the oldstable distribution (jessie), these problems have been fixed in version 1:1.1.14-1+deb8u1. For the stable distribution (stretch), these problems have been fixed in version 1:1.1.14-1+deb9u1." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libxcursor"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:8.0"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:9.0"); script_set_attribute(attribute:"patch_publication_date", value:"2017/12/08"); script_set_attribute(attribute:"plugin_publication_date", value:"2017/12/11"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Debian Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("debian_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian"); if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (deb_check(release:"8.0", prefix:"libxcursor-dev", reference:"1:1.1.14-1+deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"libxcursor1", reference:"1:1.1.14-1+deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"libxcursor1-dbg", reference:"1:1.1.14-1+deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"libxcursor1-udeb", reference:"1:1.1.14-1+deb8u1")) flag++; if (deb_check(release:"9.0", prefix:"libxcursor-dev", reference:"1:1.1.14-1+deb9u1")) flag++; if (deb_check(release:"9.0", prefix:"libxcursor1", reference:"1:1.1.14-1+deb9u1")) flag++; if (deb_check(release:"9.0", prefix:"libxcursor1-dbg", reference:"1:1.1.14-1+deb9u1")) flag++; if (deb_check(release:"9.0", prefix:"libxcursor1-udeb", reference:"1:1.1.14-1+deb9u1")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get()); else security_warning(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family Huawei Local Security Checks NASL id EULEROS_SA-2018-1004.NASL description According to the version of the libXcursor packages installed, the EulerOS installation on the remote host is affected by the following vulnerability : - libXcursor before 1.1.15 has various integer overflows that could lead to heap buffer overflows when processing malicious cursors, e.g., with programs like GIMP.(CVE-2017-16612) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-05-06 modified 2018-01-19 plugin id 106145 published 2018-01-19 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/106145 title EulerOS 2.0 SP2 : libXcursor (EulerOS-SA-2018-1004) NASL family SuSE Local Security Checks NASL id OPENSUSE-2018-196.NASL description This update for libXcursor fixes the following issues : - CVE-2017-16612: It is possible to trigger heap overflows due to an integer overflow while parsing images and a signedness issue while parsing comments. (boo#1065386) last seen 2020-06-05 modified 2018-02-21 plugin id 106924 published 2018-02-21 reporter This script is Copyright (C) 2018-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/106924 title openSUSE Security Update : libXcursor (openSUSE-2018-196) NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-201801-04.NASL description The remote host is affected by the vulnerability described in GLSA-201801-04 (LibXcursor: User-assisted execution of arbitrary code) It was discovered that libXcursor is prone to several heap overflows when parsing malicious files. Impact : A remote attacker, by enticing a user to process a specially crafted cursor file, could possibly execute arbitrary code with the privileges of the process or cause a Denial of Service condition. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 105630 published 2018-01-08 reporter This script is Copyright (C) 2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/105630 title GLSA-201801-04 : LibXcursor: User-assisted execution of arbitrary code NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_DDECDE18E33B11E7A29354E1AD3D6335.NASL description The freedesktop.org project reports : It is possible to trigger heap overflows due to an integer overflow while parsing images and a signedness issue while parsing comments. The integer overflow occurs because the chosen limit 0x10000 for dimensions is too large for 32 bit systems, because each pixel takes 4 bytes. Properly chosen values allow an overflow which in turn will lead to less allocated memory than needed for subsequent reads. The signedness bug is triggered by reading the length of a comment as unsigned int, but casting it to int when calling the function XcursorCommentCreate. Turning length into a negative value allows the check against XCURSOR_COMMENT_MAX_LEN to pass, and the following addition of sizeof (XcursorComment) + 1 makes it possible to allocate less memory than needed for subsequent reads. last seen 2020-06-01 modified 2020-06-02 plugin id 105339 published 2017-12-18 reporter This script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/105339 title FreeBSD : libXcursor -- integer overflow that can lead to heap buffer overflow (ddecde18-e33b-11e7-a293-54e1ad3d6335) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-3501-1.NASL description It was discovered that libxcursor incorrectly handled certain files. An attacker could use these issues to cause libxcursor to crash, resulting in a denial of service, or possibly execute arbitrary code. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 104884 published 2017-11-30 reporter Ubuntu Security Notice (C) 2017-2019 Canonical, Inc. / NASL script (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/104884 title Ubuntu 14.04 LTS / 16.04 LTS / 17.04 / 17.10 : libxcursor vulnerability (USN-3501-1) NASL family Fedora Local Security Checks NASL id FEDORA_2018-1C5DADA34B.NASL description libXcursor 1.1.15 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2018-03-07 plugin id 107157 published 2018-03-07 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/107157 title Fedora 27 : libXcursor (2018-1c5dada34b) NASL family SuSE Local Security Checks NASL id SUSE_SU-2017-3214-1.NASL description This update for libXcursor fixes the following issues: Security issue fixed : - CVE-2017-16612: Fix integeroverflow while parsing images and a signedness issue while parsing comments (bsc#1065386). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 105035 published 2017-12-06 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/105035 title SUSE SLED12 / SLES12 Security Update : libXcursor (SUSE-SU-2017:3214-1) NASL family SuSE Local Security Checks NASL id SUSE_SU-2018-0246-1.NASL description This update for xorg-x11-libs fixes several issues. These security issues were fixed : - CVE-2017-16612: Heap overflows due to an integer overflow while parsing images and a signedness issue while parsing comments (bsc#1065386). - CVE-2017-13720: Improper check for end of string in PatterMatch caused invalid reads (bsc#1054285) - CVE-2017-13722: Malformed PCF file could have caused DoS or leak information (bsc#1049692) - Prevent the X server from accessing arbitrary files as root. It is not possible to leak information, but special files can be touched allowing for causing side effects (bsc#1050459) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 106449 published 2018-01-29 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/106449 title SUSE SLES11 Security Update : xorg-x11-libs (SUSE-SU-2018:0246-1) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-3622-1.NASL description It was discovered that the Wayland Xcursor support incorrectly handled certain files. An attacker could use these issues to cause Wayland to crash, resulting in a denial of service, or possibly execute arbitrary code. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 108950 published 2018-04-10 reporter Ubuntu Security Notice (C) 2018-2019 Canonical, Inc. / NASL script (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/108950 title Ubuntu 14.04 LTS / 16.04 LTS / 17.10 : wayland vulnerability (USN-3622-1)
References
- http://security.cucumberlinux.com/security/details.php?id=156
- http://www.openwall.com/lists/oss-security/2017/11/28/6
- http://www.ubuntu.com/usn/USN-3501-1
- https://bugzilla.suse.com/show_bug.cgi?id=1065386
- https://cgit.freedesktop.org/wayland/wayland/commit/?id=5d201df72f3d4f4cb8b8f75f980169b03507da38
- https://cgit.freedesktop.org/xorg/lib/libXcursor/commit/?id=4794b5dd34688158fb51a2943032569d3780c4b8
- https://lists.debian.org/debian-lts-announce/2017/12/msg00002.html
- https://lists.freedesktop.org/archives/wayland-devel/2017-November/035979.html
- https://marc.info/?l=freedesktop-xorg-announce&m=151188036018262&w=2
- https://security.gentoo.org/glsa/201801-04
- https://usn.ubuntu.com/3622-1/
- https://www.debian.org/security/2017/dsa-4059